permit vlan

Use permit vlan to configure a list of VLANs accessible to a user role.

Use undo permit vlan to remove the permission for a user role to access specific VLANs.

Syntax

permit vlan vlan-id-list

undo permit vlan [ vlan-id-list ]

Default

No permitted VLANs are configured in user role VLAN policy view.

Views

User role VLAN policy view

Predefined user roles

network-admin

mdc-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, vlan-id2 must be greater than vlan-id1.

Usage guidelines

To permit a user role to access a VLAN after you configure the vlan policy deny command, you must add the VLAN to the permitted VLAN list of the policy. With the user role, you can perform the following tasks on the VLANs in the permitted VLAN list:

You can repeat the permit vlan command to add permitted VLANs to a user role VLAN policy.

The undo permit vlan command removes the entire list of permitted VLANs if you do not specify a VLAN.

Any change to a user role VLAN policy takes effect only on users who log in with the user role after the change.
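The following Python model is an added example, not device code or vendor documentation: the hypothetical `parse_vlan_id_list` function applies the vlan-id-list rules from the Parameters section (up to 10 items, `vlan-id1 to vlan-id2` ranges, IDs 1 to 4094), and the hypothetical `VlanPolicy` class evaluates VLAN access under vlan policy deny with a permitted list, including the repeat and undo behavior described above. The rule that changes apply only to users who log in afterwards is not modeled.

```python
MAX_VLAN = 4094
MAX_ITEMS = 10

def parse_vlan_id_list(text: str) -> set:
    """Parse a vlan-id-list: up to 10 space-separated items, each a single
    VLAN ID or 'vlan-id1 to vlan-id2' (IDs 1-4094, vlan-id2 > vlan-id1)."""
    tokens = text.split()
    items, i = [], 0
    while i < len(tokens):
        # A range item occupies three tokens: "<id1> to <id2>".
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            items.append(tokens[i:i + 3])
            i += 3
        else:
            items.append([tokens[i]])
            i += 1
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValueError("vlan-id-list must contain 1 to %d items" % MAX_ITEMS)
    vlans = set()
    for item in items:
        lo = int(item[0])  # ValueError on non-numeric tokens
        hi = int(item[2]) if len(item) == 3 else lo
        if not (1 <= lo <= MAX_VLAN and 1 <= hi <= MAX_VLAN):
            raise ValueError("VLAN IDs must be in the range 1 to %d" % MAX_VLAN)
        if len(item) == 3 and hi <= lo:
            raise ValueError("vlan-id2 must be greater than vlan-id1")
        vlans.update(range(lo, hi + 1))
    return vlans

class VlanPolicy:
    """Hypothetical model of a user role VLAN policy: 'vlan policy deny'
    blocks every VLAN except those added with 'permit vlan'."""
    def __init__(self):
        self.deny = False  # no deny policy: every VLAN is accessible
        self.permitted = set()
    def vlan_policy_deny(self):
        self.deny = True
    def permit_vlan(self, vlan_id_list: str):
        # Repeating the command adds VLANs; it does not replace the list.
        self.permitted |= parse_vlan_id_list(vlan_id_list)
    def undo_permit_vlan(self, vlan_id_list: str = ""):
        # With no list given, undo removes the entire permitted VLAN list.
        if vlan_id_list:
            self.permitted -= parse_vlan_id_list(vlan_id_list)
        else:
            self.permitted.clear()
    def can_access(self, vlan: int) -> bool:
        return not self.deny or vlan in self.permitted
```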

Examples

  1. Configure user role role1:

    # Permit the user role to execute all commands available in interface view and VLAN view.

    <Sysname> system-view
    [Sysname] role name role1
    [Sysname-role-role1] rule 1 permit command system-view ; interface *
    [Sysname-role-role1] rule 2 permit command system-view ; vlan *
    

    # Permit the user role to access VLANs 2, 4, and 50 to 100.

    [Sysname-role-role1] vlan policy deny
    [Sysname-role-role1-vlanpolicy] permit vlan 2 4 50 to 100
    [Sysname-role-role1-vlanpolicy] quit
    [Sysname-role-role1] quit
    
  2. Verify that you cannot use the user role to work on any VLANs except VLANs 2, 4, and 50 to 100:

    # Verify that you can create VLAN 100 and enter the VLAN view.

    [Sysname] vlan 100
    [Sysname-vlan100] quit
    

    # Verify that you can add port FortyGigE 1/0/1 to VLAN 100 as an access port.

    [Sysname] interface fortygige 1/0/1
    [Sysname-FortyGigE1/0/1] port access vlan 100
    [Sysname-FortyGigE1/0/1] quit
    

    # Verify that you cannot create VLAN 101 or enter the VLAN view.

    [Sysname] vlan 101
    Permission denied.
    

Related commands

display role

role

vlan policy deny